From: mose <mo...@ti...> - 2007-10-12 02:40:33
oops, forgot to put the users mailing list in copy of this important announcement..

----- Forwarded message from mose <mo...@ti...> -----

> Date: Fri, 12 Oct 2007 04:39:02 +0200
> From: mose <mo...@ti...>
> To: Tikiwiki developers <tik...@li...>
> Subject: Re: [Tikiwiki-devel] sec vuln
>
> On Fri, Oct 12, 2007 at 12:24:22AM +0200, mose wrote:
>
> - finally Nelson Koth handled the release process, so now we have a
> 1.9.8.1 available on sourceforge:
>
> https://sourceforge.net/project/showfiles.php?group_id=64258&package_id=112134&release_id=546283
>
> This is a very nasty flaw in a file that was not even optional, so it
> can be exploited on any version of tiki since 1.9.1, where tikisheets
> were introduced.
>
> You must upgrade your tikiwiki installation and warn people that could
> be concerned:
>
> * either grab that new release and upgrade as usual; there are only a
> few file changes and no db upgrade to perform,
>
> * or only upgrade the faulty file, namely tiki-graph_formula.php,
> by replacing yours with the one you'll get at:
> http://tikiwiki.cvs.sourceforge.net/*checkout*/tikiwiki/tiki/tiki-graph_formula.php?revision=1.1.2.3
> or by using cvs:
> cvs up tiki-graph_formula.php
>
> The 1.10 branch is also impacted and fixed the same way, so
> cvs up tiki-graph_formula.php is advised for HEAD users.
>
> There have been some days between the fix and the release, and it has
> already been exploited by malevolent scripts/bots/kids/whatever.
>
> Upgrade your tikiwiki version, fast.
>
> Thanks to Nelson for the work on the packaging and release process, and to
> sylvie and marc who also helped in the operation.
>
>
> cheers,
> mose
>
----- End forwarded message -----
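The announcement says the faulty script was already being hit by automated scripts in the days between the fix and the release. An administrator reviewing that exposure window would want to know which clients requested it and when. Below is an added example, not from the original mail or from the Tikiwiki project, that parses Apache combined-format access-log lines and lists every request to tiki-graph_formula.php. The log lines, client addresses (RFC 5737 documentation ranges) and URL paths are constructed for the example; only the script name comes from the announcement. It does not detect the flaw itself, it only narrows down what to review.

```python
"""Scan web-server access logs for requests to tiki-graph_formula.php.

Constructed triage example for the 1.9.8.1 advisory: it lists who fetched
the affected script and when, so the window before the upgrade can be reviewed.
"""
import re
from collections import Counter
from posixpath import basename
from urllib.parse import unquote, urlsplit

# Name of the affected script, taken from the advisory.
AFFECTED_SCRIPT = "tiki-graph_formula.php"

# Apache/nginx combined log format: client IP, timestamp, request line, status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic); IPs are from RFC 5737 ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Oct/2007:21:02:11 +0200] "GET /tiki/tiki-index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Oct/2007:21:03:40 +0200] "GET /tiki/tiki-graph_formula.php?w=400&h=300 HTTP/1.1" 200 613 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Oct/2007:21:03:41 +0200] "GET /tiki/tiki-graph_formula.php?w=400&h=300 HTTP/1.1" 200 613 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2007:08:15:09 +0200] "GET /tiki/tiki-sheets.php?sheetId=1 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Oct/2007:02:47:55 +0200] "POST /tiki/tiki-graph_formula.php HTTP/1.0" 200 287 "-" "-"
192.0.2.44 - - [11/Oct/2007:02:47:58 +0200] "GET /tiki/TIKI-GRAPH_FORMULA.PHP HTTP/1.0" 404 211 "-" "-"
this line is not in combined log format and is skipped
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def targets_affected_script(target, script=AFFECTED_SCRIPT):
    """True when the request path (query string and URL-encoding stripped) names the script.

    The comparison is case-sensitive on purpose: on a case-sensitive filesystem a
    differently cased name does not reach the same PHP file, so it is not a hit.
    """
    path = unquote(urlsplit(target).path)
    return basename(path) == script


def find_requests(log_text, script=AFFECTED_SCRIPT):
    """Return the parsed fields of every request to `script`, in log order."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and targets_affected_script(fields["target"], script):
            hits.append(fields)
    return hits


def successful_hits(hits):
    """Keep requests answered with a 2xx status: those actually reached the script."""
    return [h for h in hits if h["status"].startswith("2")]


def summarize_by_client(hits):
    """Count requests per client IP so the noisiest sources stand out."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits = find_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]}  {h["ip"]:<15} {h["method"]:<4} {h["status"]} {h["target"]}')
    print("requests per client:", dict(summarize_by_client(hits)))
```

Run it against a real log with `find_requests(open("/var/log/apache2/access.log").read())`; requests from before the file was replaced are the ones worth reviewing, and any 2xx response from an unfamiliar client in that window is reason to inspect the host further rather than to assume the upgrade alone settled the matter.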